Local 1 : 1 NAT
-
On my switches I put all client ports into "protected mode".
The VLANs are (currently) assigned via MAC (hopefully I will use certificates/RADIUS later).
The protected port mode stops layer-2 traffic between the protected ports; that way a client PC cannot connect to another PC in the same VLAN/net but can connect to the servers and gateways
(this avoids/makes harder attacks like "ARP poisoning"/"pass the hash"/...). That's fine for almost all applications (as far as I can foresee),
but there is one VLAN that needs to communicate with clients in the same net (using a handful of fixed ports).
I would like to keep all client-side ports in the "protected mode" so anyone can put a device into any (client-side) port and automatically gets the correct VLAN,
so I need to circumvent the protection for this specific VLAN.
My idea was this:
client (IP: 10.11.12.13/24) wants to connect to 10.11.12.14
client connects to 10.11.13.14 (this IP is not in the client routing table) and will be routed to the pfSense gateway
in pfSense I do a 1:1 NAT so the 10.11.13.14 IP is converted to 10.11.12.14 and goes back to the wanted client, but sadly I failed to accomplish this.
It could be I am mistaken in what's possible/sane for such a scenario.
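The following is an added simulation, not code from the post or from pfSense, that models the scenario above packet by packet: a client on a protected port, a server on another protected port in the same /24, and the gateway doing 1:1 NAT from the "shadow" net 10.11.13.0/24 to 10.11.12.0/24. The gateway address 10.11.12.1, the port numbers and the `simulate()` helper are constructed assumptions. It shows why a destination-only translation cannot work here: the server sees the client's real 10.11.12.13 address, which is on-link, so its reply goes straight to the client's switch port and is dropped by protected mode (and even without protected mode the client would receive a reply from 10.11.12.14 instead of 10.11.13.14, which matches no connection it opened). Only when the gateway also rewrites the source address, so that the server answers the gateway and the gateway undoes both translations, does the reply arrive the way the client expects.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology using the addresses from the post. The gateway address
# 10.11.12.1 and the switch-port layout are assumptions, not taken from the post.
CLIENT_NET = ipaddress.ip_network("10.11.12.0/24")   # real client/server VLAN
ALIAS_NET = ipaddress.ip_network("10.11.13.0/24")    # 1:1 NAT "shadow" of CLIENT_NET
GATEWAY = ipaddress.ip_address("10.11.12.1")         # assumed pfSense address in the VLAN
CLIENT = ipaddress.ip_address("10.11.12.13")
SERVER_ALIAS = ipaddress.ip_address("10.11.13.14")   # what the client connects to

# Hosts that sit on protected switch ports; the gateway port is not protected.
PROTECTED_HOSTS = {CLIENT, ipaddress.ip_address("10.11.12.14")}


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int


def l2_deliver(from_ip, to_ip, protected=True):
    """Switch rule: with protected mode on, a frame between two protected ports is dropped."""
    if not protected:
        return True
    return not (from_ip in PROTECTED_HOSTS and to_ip in PROTECTED_HOSTS)


def one_to_one(dst):
    """pfSense-style 1:1 NAT: 10.11.13.x -> 10.11.12.x, keeping the host part."""
    host_id = int(dst) - int(ALIAS_NET.network_address)
    return CLIENT_NET.network_address + host_id


def simulate(source_nat, protected=True):
    """Walk one request/reply through switch and gateway; return what the client sees."""
    state = {}  # gateway state table: translated 4-tuple -> original packet

    # 1. Client sends to the alias address. It is off-link for the client, so the
    #    frame goes to the default gateway, whose port is never protected.
    req = Packet(CLIENT, SERVER_ALIAS, 40000, 445)
    assert req.dst not in CLIENT_NET and l2_deliver(req.src, GATEWAY, protected)

    # 2. Gateway rewrites the destination (1:1 NAT) and, only if source_nat is set,
    #    also the source so that the server answers the gateway instead of the client.
    fwd = Packet(GATEWAY if source_nat else req.src, one_to_one(req.dst), req.sport, req.dport)
    state[(fwd.src, fwd.sport, fwd.dst, fwd.dport)] = req
    if not l2_deliver(GATEWAY, fwd.dst, protected):
        return {"delivered": False, "reason": "gateway->server blocked"}

    # 3. Server answers whatever source it saw. That address is in its own /24, so the
    #    reply is a direct layer-2 frame to that host's switch port, not via the gateway.
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    if not l2_deliver(reply.src, reply.dst, protected):
        return {"delivered": False, "reason": "server->client reply dropped by protected ports"}

    # 4. Only if the reply was addressed to the gateway can it undo both translations.
    if reply.dst == GATEWAY:
        orig = state[(reply.dst, reply.dport, reply.src, reply.sport)]
        reply = Packet(orig.dst, orig.src, orig.dport, orig.sport)
        if not l2_deliver(GATEWAY, reply.dst, protected):
            return {"delivered": False, "reason": "gateway->client blocked"}

    # 5. The client's stack accepts the reply only if it matches the connection it opened.
    matches = (reply.src, reply.sport, reply.dst, reply.dport) == (
        req.dst, req.dport, req.src, req.sport)
    return {"delivered": True, "matches_connection": matches, "reply_from": str(reply.src)}


if __name__ == "__main__":
    print("1:1 NAT only, protected ports:     ", simulate(source_nat=False))
    print("1:1 NAT only, no protected ports:  ", simulate(source_nat=False, protected=False))
    print("1:1 NAT + source NAT, protected:   ", simulate(source_nat=True))
```

The third run is the only one that both reaches the client and matches its connection; the first is dropped by the switch, and the second arrives but from the wrong address. What the model calls "source NAT" is the extra step a gateway needs for this hairpin inside one VLAN; whether a given pfSense build exposes that through its NAT settings is not something the post establishes.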